How old-fashioned hacking may have taken Clorox off store shelves for months

There’s a reason you’ve maybe been struggling to find Clorox products on store shelves: For the last two months, the consumer products giant has been struggling with a large-scale bleach breach.

On Aug. 14, Clorox—which makes not only its namesake bleach but also Glad trash bags and Burt’s Bees skin products—announced in a regulatory filing that it discovered “unauthorized activity” in its computer systems. More than a month later, on Sept. 18, the company filed another disclosure indicating that the attack took many of its automated systems offline—including those by which large retailers order products. When big box retailers like Walmart and Target order their products, Clorox has had to process those orders manually, leading to a slowdown of operations and fewer products making it to store shelves.

Last month, Clorox said it believed the attack was finally “contained,” but expected there to be a “material” impact to its quarterly financial results. In preliminary results released on Oct. 4, Clorox said its sales fell 21-26% during the fiscal quarter due to the attack. Beyond the revenue hit, there’s been a new cost—actually responding to the hack. Last week, the company said it’s already spent $25 million securing its systems after they were breached.

In turn, Clorox stock has plummeted 25%—from $160 per share to $120—since the company first announced the breach in August.

Clorox isn’t the only major company to get hacked recently, but the others might feel like more natural targets. When MGM Resorts International was hacked, slot machines went dark, hotel room keycards stopped working, and guests waited for hours to check into their rooms. The hack, first disclosed on Sept. 11, dragged on for 10 days before the company announced it was “back to normal operations.”

Around the same time, hackers breached Caesars Entertainment, threatening to release sensitive customer data including driver’s license and social security numbers unless the company coughed up $30 million as ransom. Caesars paid $15 million—half of the requested amount—in the name of protecting customers.

While casinos, banks, and other cash-facing businesses seem like obvious targets for extortionary cyber-criminals, that’s mostly an illusion, cybersecurity experts told Fast Company. It’s not that casinos aren’t ripe for hackers; it’s that every large company is.

Sometimes boring companies get hacked too.


So, how did this actually happen? It’s suspected that Clorox, MGM, and Caesars were all victims of what’s called social engineering.

Social engineering attacks target people in order to gain access to computer systems. Hackers often use simple methods like phone calls and text messages to get employees and vendors to open the digital doorway. “Social engineering attacks the human component to breach security,” says Katie Moussouris, founder and CEO of Luta Security. “Calling a help desk to impersonate a valid user or fooling someone into clicking a link to malicious software or redirecting users to a site that mimics a legitimate login page to harvest their passes are all examples of social engineering attacks.”

It’s been difficult to divine how exactly hackers gained access to these companies. Only Caesars has confirmed it was breached through a social engineering attack, divulging that one of its third-party IT vendors was compromised, allowing the hackers to gain access to their systems. In recent years, social engineering attacks have been used to breach major U.S. companies like Uber, Twilio, and Twitter.

Rachel Tobac, the CEO of SocialProof Security, thinks there’s a good reason why these seemingly old-fashioned attacks are coming back in style. “We just see the same social engineering methods playing out time and time again because our technical tools have gotten stronger,” she says. “Our technical tools can catch the phishing emails, so now attackers are going back to basics with phone calls like they used to back in the day. It feels like a throwback, but it’s what they do now because it’s what works.”

MGM has not publicly confirmed that social engineering is to blame, but multiple news outlets, including Bloomberg and Reuters, have reported that the MGM and Caesars attacks were both executed by a group called Scattered Spider, known for their social engineering attacks. Bloomberg recently suggested that the group might be behind the Clorox hack as well, though the company has not publicly confirmed as much.

David Bradbury, the chief security officer of the identity verification company Okta—used by both MGM and Caesars—has indicated that “all signs are pointing” to Scattered Spider as the culprit behind the Clorox cyberattack. On Aug. 31, Okta issued a public advisory warning that social engineering attackers have been targeting IT help desks and manipulating technicians into handing over access or credentials.

Tobac says these can be some of the toughest attacks to preempt. “Human beings are fallible, we’re not technology,” she tells Fast Company. “Whereas computers can be protected by updating software, we have to update the way that people think about attacks.”

And, as the Clorox hack shows, cyberattacks don’t just target cash-facing operations like casinos. Luta Security’s Moussouris wants all companies to heed that warning. “Attackers operate towards efficiency and return on their investment, seeking targets of opportunity, especially in the age of ransomware,” she says. “Ransomware and being able to receive payment in cryptocurrency turned many organizations that might not have seemed interesting to attack into potential piggy banks.”

https://www.fastcompany.com/90967250/how-old-fashioned-hacking-may-have-taken-clorox-off-store-shelves-for-months?partner=rss&utm_source=rss&utm_medium=feed&utm_campaign=rss+fastcompany&utm_content=rss

Created: 13 Oct. 2023, 17:40:08

